Hello,

Commit 04e35f4495dd560db30c25efca4eecae8ec8c375 "exec: avoid RLIMIT_STACK races with prlimit()" that made it into 4.14.4 effectively changes the default hard RLIMIT_STACK on machines with SELinux (seen on Fedora 27).

selinux_bprm_set_creds() sets bprm->secureexec for any SELinux domain transition that does not have the "noatsecure" permission. The secureexec logic thus kicks in for virtually every process launched by PID 1 systemd (init_t), including gettys, display managers, etc.

I can see that 8 MiB "should be enough for everyone" using normal software, but sadly the HPC stuff around here tends to need a little more (due to a deficiency in gfortran).

Minimal example (the actual types are not too important):

    # /bin/ulimit -Hs
    unlimited
    # runcon -r system_r -t sysadm_t runcon -t rpm_script_t /bin/ulimit -Hs
    8192

Of course this can be somewhat worked around by adjusting the SELinux policy (allowing blanket noatsecure permission for init_t and possibly others) or by pam_limits (for components using PAM). Unfortunately, systemd's LimitSTACK= is also broken (calls setrlimit before exec).

Anyway, I wasn't expecting any of that in connection with the 4.14.3->.4 upgrade.

-- 
Best regards,
Tomáš Trnka
Software for Chemistry & Materials
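An added diagnostic for the behaviour reported above (not part of the original mail or of the kernel tree): it reads AT_SECURE from the auxiliary vector, which the kernel sets to nonzero for a secureexec, together with the hard RLIMIT_STACK, and reports whether the process matches the 8192 KiB case. The function and enum names are hypothetical, and the 8 MiB threshold is taken from the `ulimit -Hs` output in the mail.

```c
/* Added diagnostic (not from the original mail or the kernel tree). */
#include <stdio.h>
#include <sys/auxv.h>
#include <sys/resource.h>

/* 8192 KiB: the hard limit printed by "ulimit -Hs" in the report above. */
#define STK_CLAMP_BYTES (8UL * 1024 * 1024)

enum stack_verdict {
    STACK_UNAFFECTED = 0, /* normal exec, hard limit above 8 MiB or unlimited */
    STACK_LOW_PLAIN  = 1, /* normal exec, low limit came from somewhere else */
    STACK_SECURE_OK  = 2, /* secureexec, hard limit still above 8 MiB */
    STACK_CLAMPED    = 3  /* secureexec and hard limit <= 8 MiB */
};

/* Pure classification so it can be exercised with constructed inputs. */
int classify_stack_limit(unsigned long at_secure, rlim_t hard)
{
    int low = (hard != RLIM_INFINITY && hard <= STK_CLAMP_BYTES);

    if (at_secure)
        return low ? STACK_CLAMPED : STACK_SECURE_OK;
    return low ? STACK_LOW_PLAIN : STACK_UNAFFECTED;
}

/* Inspect the calling process; returns a stack_verdict or -1 on error. */
int check_self(void)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_STACK, &rl) != 0)
        return -1;
    /* AT_SECURE in the auxiliary vector is nonzero after a secureexec. */
    return classify_stack_limit(getauxval(AT_SECURE), rl.rlim_max);
}

int main(void)
{
    static const char *const names[] = {
        "normal exec, hard stack limit untouched",
        "normal exec, hard stack limit already <= 8 MiB",
        "secureexec, hard stack limit above 8 MiB",
        "secureexec, hard stack limit <= 8 MiB (matches the report)"
    };
    int v = check_self();

    if (v < 0) { perror("getrlimit"); return 1; }
    printf("AT_SECURE=%lu: %s\n", getauxval(AT_SECURE), names[v]);
    return 0;
}
```

Substituting the built binary for /bin/ulimit in the runcon invocation above shows the AT_SECURE flag and the resulting hard limit for that domain transition in one line.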

